meta-dependencytrack is a Yocto meta-layer which produces a CycloneDX Software Bill of Materials (aka SBOM) from your root filesystem and then uploads it to a Dependency-Track server against the project of your choice.
To install this meta-layer simply clone the repository into the sources directory and add it to your build/conf/bblayers.conf file:
$ cd sources
$ git clone https://github.com/bgnetworks/meta-dependencytrack.gitand in your bblayers.conf file:
BBLAYERS += "${BSPDIR}/sources/meta-dependencytrack"To enable and configure the layer simply inherit the dependency-track class in your local.conf file and then set the following variables:
DEPENDENCYTRACK_PROJECT- The ID of the project in Dependency-TrackDEPENDENCYTRACK_API_URL- The URL of the Dependency-Track API server. (Note: this is usually different from the URL of the web server you use in your browser)DEPENDENCYTRACK_API_KEY- An authentication key for the server. You can find these in theTeamssection of theAdminitrationpage in Dependency-Track.
DEPENDENCYTRACK_PROJECT = "41990900-1b3c-4ccd-8b55-57dd0ddc32d9"
DEPENDENCYTRACK_API_URL = "http://localhost:8081/api"
DEPENDENCYTRACK_API_KEY = "mkj6wn4dziQm7UmrBJcym5f6hOKBDxGB"
INHERIT += "dependency-track"
Once everything is configured simply build your image as you normally would. The final CycloneDX SBOM is saved as tmp/deploy/dependency-track/bom.json and, after buiding is complete, you should be able to simply refresh the project in Dependency Track to see the results of the scan.